YOR920010359US1

Chaar et al

SYSTEM AND METHOD FOR PROTECTING A TCP CONNECTION SERVING
SYSTEM FROM A HIGH VOLUME OF TCP CONNECTION REQUESTS

FIELD OF THE INVENTION 

The present invention relates generally to TCP/IP (Transmission Control Protocol /
Internet Protocol) based networks and systems, and more particularly to those systems and
components that keep TCP connection related status information, such as the TCP connection
control table, for the management of connections. Such management may include serving,
filtering, load balancing, routing, and redirecting of TCP connections.

DESCRIPTION OF THE PRIOR ART 

TCP/IP is the foundation of the world's largest network, the Internet, as well as of
intranets and extranets, and it has become the core of data, voice and video communications and
streaming. It has also become the default communications protocol for connecting a wide variety
of digital entities.

When a networked digital entity that keeps track of TCP connection states receives a
very high volume of legitimate and/or illegitimate TCP connection requests, it runs the risk of
flooding its TCP connection-related tables, which often leads to system quiescence or system
crash. Such digital entities include today's servers, storage area networks, network attached
storage and clusters of such entities. Future entities may include memory subsystems, storage
subsystems and more general I/O subsystems that can be independently deployed throughout the
network to form the distributed components of a digital entity, connected together via
high-bandwidth networks.
It is known that the purpose of a SYN (synchronization) flood (i.e., the sending of a large
volume of "false" TCP connection requests) is to create a large number of long-lasting half-open
TCP connections that fill the TCP connection control table so that no other new connection
requests can be accepted. This is known as a denial of service attack. A half-open connection is a
connection whose 3-way handshake has not yet been completed.

Every TCP connection establishment spends some time in the half-open state before the
associated TCP connection has been established. The duration of the half-open state depends on a
number of parameters, including the conditions of the two parties, how far apart the two parties
are, which networks are used to connect them, the congestion of those networks, the speed at
which the two parties are connected to their networks, and whether or not the intent of the
connection establishment is "sincere". In general, the half-open duration of a TCP connection
establishment is short, usually less than a second or so. A TCP connection request (from now on,
simply a request or requests) associated with a SYN flood, for example, will eventually time out.
A typical time-out value is anywhere between 60 seconds and 120 seconds. In this patent
application, the term "legitimate" or "good" is used to refer to a "sincere" TCP connection
request, and the term "illegitimate" or "bad" is used to refer to a "not-sincere" TCP connection
request.

A simple way to avoid filling up the TCP connection control table is to start discarding
(or redirecting) future requests once a certain threshold of table utilization has been reached. This
approach works well when no differentiation among TCP connection requests is needed. The
major problems of this approach are (1) there is no way to differentiate legitimate requests from
illegitimate requests (a preferable approach is to discard illegitimate requests first and then
legitimate requests next, if needed), and (2) the implementation of this approach requires some
modification of existing systems, making its deployment more difficult.

The way to determine whether or not a TCP connection request is legitimate is to accept
the connection request (assuming the requester has a valid IP address and port number) and
observe whether its TCP half-open connection state moves to the "connected" state or simply
reaches the half-open time-out. Not every "timed-out" half-open request is illegitimate or
"not sincere". However, it is good practice to discard or reset those TCP connection requests
that stay in the half-open state unreasonably long.

In the TCP/IP protocols, there is a time-out parameter for controlling the duration of the
half-open state called the "half-open time-out"; T_ho shall hereinafter denote this half-open
time-out. Clearly, by changing the value of T_ho, one can control the maximum duration for which
each TCP connection request may stay in the half-open state. Once a connection request reaches
its time-out, the corresponding entry is removed from the control table. The removed TCP
connection request can be either simply discarded or reset. Therefore, the management of T_ho
leads to the management of the use (or usage) of the TCP connection control table. The Lucent
Access Point (AP) product (www.lucent.com/products) allows a user to choose one of two
operation modes for the half-open time-out: one mode corresponds to normal operation and the
other to a critical mode called "SYN Defender". The "SYN Defender" mode can be invoked to
protect systems from SYN flood type denial of service attacks. The SYN Defender mode uses a
very small value for T_ho, thus limiting the life cycle of the half-open connection state for each
TCP connection request. The major limitations of this approach are that its operation mode is
invoked manually, it supports only two states (normal and SYN Defender), and it is not adaptable
to changes in the operating environment.



BRIEF SUMMARY OF THE INVENTION 



The object of this invention is to provide a system and method that protect a TCP
connection serving system from a high volume of TCP connection requests (both good and bad),
which often leads to system quiescence or crash, by dynamically adjusting the half-open
connection time-out T_ho that is used to "clean up" the TCP connection control table. A T_ho is
defined for each TCP connection control table and is dynamically adjusted. This invention has
a means to observe the use (or usage) of the TCP connection control table(s), a means to compute
the next T_ho value, and a means to communicate that value to any existing TCP/IP "stack". The
T_ho value ranges between the minimum T_min and the maximum T_max.
Another object of this invention is to make the system and method adaptable to different
operating environments by dynamically adjusting the range [T_min, T_max] in which T_ho can
operate. This invention has a means to derive both T_min and T_max. Examples of operating
environments of this invention include the Internet, intranets, extranets, back-end network
infrastructure, and storage area networks.

Yet another object of this invention is to provide an optional means that further protects a
system having a TCP connection control table by preventing the table from becoming fully
utilized: a means to throttle newly arriving TCP connection requests once the table utilization
has reached a predetermined level.

Accordingly, the present invention broadly provides a method of regulating TCP/IP connection
requests which await service in a system by a TCP/IP connection control table, to prevent
overload thereof, the aforesaid method comprising the steps of:

a) monitoring usage of the aforesaid system on a dynamic basis,

b) based upon the aforesaid usage, dynamically computing a time-out value
T_ho which defines the time duration that a TCP connection request may
await service by the system, and

c) removing from the aforesaid TCP/IP connection control table all TCP/IP
connection requests which have been awaiting service in said TCP/IP
stack for a duration exceeding T_ho.

Preferably, the aforesaid TCP/IP connection control table has a size N_size and an upper bound
for usable table size of N_abs < N_size, and values of T_ho are dynamically computed in a
range [T_min, T_max].

According to a preferred embodiment of the invention, the method comprises the steps of:

i) setting T_ho = T_min when N > N_abs,

ii) when N > N_limit, setting T_ho = max{T_min, T'_ho/A}, where T'_ho is the previously
existing value of T_ho, where A > 1, where N is the current usage of the table,

and where 0 < N_limit < N_size, and

iii) when N ≤ N_limit, setting T_ho = min{T_max, A*T'_ho}.

According to another preferred embodiment, the method comprises the steps of:

a) defining a plurality of table usage values N_i spanning an increasing range
from N_1 = 0 to N_m = N_size,

b) associating a corresponding plurality of time durations T_i spanning a
decreasing range from T_1 = T_max to T_m = T_min, and

c) comparing the current table usage N to the N_i and setting T_ho to the corresponding
value T_i.

As an illustrative example, T_min may have a value in the range of 0.01 to 1.0 secs, and T_max may
have a value in the range of 60 to 120 secs.

BRIEF DESCRIPTION OF THE DRAWINGS 

Figure 1 illustrates the definition of the size of a TCP connection control table.

Figure 2 illustrates an exemplary range of the half-open time-out, T_ho.

Figure 3 illustrates the overall system and method, according to an embodiment of the
invention.

Figure 4 illustrates a preferred algorithm that is used for managing the half-open
connection time-out, T_ho.

Figure 5 illustrates another algorithm that can be used for managing the half-open
connection time-out, T_ho.

DETAILED DESCRIPTION OF THE INVENTION 

Figure 1 illustrates the definition of the size of a TCP connection control table. The value
N_size represents the size of the table and N represents the current use of the table. N is bounded
by 0 (zero) and N_size.

Figure 2 illustrates the value range of the half-open time-out T_ho. T_ho is bounded by the
minimum time-out value T_min and the maximum time-out value T_max. The T_min value is usually
less than 1 second, and the T_max value often used is either 60 seconds or 120 seconds, depending
on the installed TCP/IP stack.

Figure 3 illustrates the overall system and method of this invention. The invented system
300 interacts with any existing system 301 that monitors the half-open TCP connections and
manages them using the half-open connection time-out T_ho. Table Use Monitor (TUM) 302
monitors the use or usage of the TCP connection control table in system 301. Half-open
Connection Time-out Manager (HCTM) 303 computes the new value of T_ho using the table use
information made available by Table Use Monitor (TUM) 302, and then communicates the new
value of T_ho to system 301. Algorithms for computing T_ho are described later. Components 302
and 303 are required components. Connection Time Range Adjuster (CTRA) 304 is an optional
component that re-computes the time range [T_min, T_max]. CTRA 304 makes the invented system
and method adaptable to different operating environments. CTRA 304 continuously monitors the
shortest duration T_short of any half-open TCP connection and the longest duration T_long of any
half-open TCP connection that did not time out. After observing T_short and T_long, T_min is set
to T_short and T_max is set to T_long, respectively. TCP Connection Request Throttler (TCRT) 305
is another optional component. The responsibility of this component is to discard or reset any
newly arriving TCP connection request once the table use level has reached a predefined level of
usage or use. TCRT 305 operations can be performed for every newly arriving TCP connection
request by checking the current TCP connection table usage in system 301.
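The following is an added example, not code from the patent, modelling the components of Figure 3 in Python: a TCP connection control table holding half-open entries, the Table Use Monitor (TUM) reading its usage N, the sweep that implements step (c) of the method (removing entries half-open longer than T_ho), the Connection Time Range Adjuster (CTRA) deriving [T_min, T_max] from the observed T_short and T_long, and the TCP Connection Request Throttler (TCRT). All class and function names, the data layout, the throttle level and the scripted traffic in run_scenario are assumptions made for this illustration; nothing here touches a real TCP/IP stack.

```python
"""Added example, not part of the patent: a toy model of the components in
Figure 3 -- the TCP connection control table with its half-open entries,
the Table Use Monitor (TUM), the Connection Time Range Adjuster (CTRA)
and the TCP Connection Request Throttler (TCRT). The class and function
names, the data layout and the scripted traffic are assumptions made for
this illustration; nothing here touches a real TCP/IP stack."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class HalfOpenTable:
    """TCP connection control table: one entry per half-open connection,
    keyed by the connection and holding the SYN arrival time."""
    n_size: int                                     # N_size, table capacity
    entries: dict = field(default_factory=dict)     # key -> SYN arrival time

    def usage(self) -> int:
        """TUM 302: the current use N of the table."""
        return len(self.entries)

    def add(self, key, now: float) -> bool:
        """Insert a new half-open entry; False if the table is already full."""
        if len(self.entries) >= self.n_size:
            return False
        self.entries[key] = now
        return True

    def complete(self, key, now: float) -> Optional[float]:
        """The handshake's final ACK arrived: the entry leaves the half-open
        state. Returns how long it was half-open, or None if no such entry."""
        t0 = self.entries.pop(key, None)
        return None if t0 is None else now - t0

    def sweep(self, now: float, t_ho: float) -> list:
        """Step (c) of the method: remove every entry that has been half-open
        longer than T_ho. Returns the removed keys (to be discarded or reset)."""
        expired = [k for k, t0 in self.entries.items() if now - t0 > t_ho]
        for k in expired:
            del self.entries[k]
        return expired


class CTRA:
    """CTRA 304: tracks the shortest (T_short) and longest (T_long) half-open
    duration among connections that completed rather than timed out, and
    derives [T_min, T_max] = [T_short, T_long] from them."""
    def __init__(self) -> None:
        self.t_short: Optional[float] = None
        self.t_long: Optional[float] = None

    def observe(self, duration: float) -> None:
        self.t_short = duration if self.t_short is None else min(self.t_short, duration)
        self.t_long = duration if self.t_long is None else max(self.t_long, duration)

    def time_range(self, default=(0.1, 120.0)) -> tuple:
        """[T_min, T_max]; the default applies until something was observed."""
        if self.t_short is None:
            return default
        return (self.t_short, self.t_long)


def tcrt_accept(table: HalfOpenTable, throttle_level: int) -> bool:
    """TCRT 305: accept a newly arriving request only while table usage is
    below the predefined level; otherwise the caller discards or resets it."""
    return table.usage() < throttle_level


def run_scenario() -> dict:
    """Constructed traffic: three legitimate SYNs whose handshakes complete
    within 0.4 s, then a burst of ten SYNs that never complete, then a sweep."""
    table = HalfOpenTable(n_size=8)
    ctra = CTRA()
    throttle_level = 6          # TCRT predefined usage level (assumed)
    t_ho = 1.0                  # current half-open time-out (assumed)

    for i in range(3):                      # legitimate SYNs at t = 0.0
        table.add(("good", i), 0.0)
    for i in range(3):                      # their final ACKs at t = 0.2, 0.3, 0.4
        ctra.observe(table.complete(("good", i), 0.2 + 0.1 * i))

    accepted = dropped = 0
    for i in range(10):                     # SYN burst at t = 1.0, no ACK ever follows
        if tcrt_accept(table, throttle_level) and table.add(("bad", i), 1.0):
            accepted += 1
        else:
            dropped += 1                    # TCRT discards/resets the request
    usage_after_burst = table.usage()
    expired = table.sweep(now=2.5, t_ho=t_ho)   # 1.5 s half-open > T_ho: all go
    return {"accepted": accepted, "dropped": dropped,
            "usage_after_burst": usage_after_burst,
            "expired": len(expired), "usage_after_sweep": table.usage(),
            "time_range": ctra.time_range()}


if __name__ == "__main__":
    print(run_scenario())
```

In the scenario the throttler admits six of the ten burst requests and drops four, the sweep at t = 2.5 s empties the table because every surviving entry has been half-open for 1.5 s, longer than T_ho = 1.0 s, and CTRA reports [T_min, T_max] = [0.2, 0.4] from the three completed handshakes.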

Figure 4 describes a preferred algorithm, HCTM1, for computing the half-open time-out
T_ho. In this algorithm, two thresholds N_limit and N_abs are used. Here, N_limit is always less
than N_abs. N_limit indicates the number of "safely" usable entries in the TCP connection control
table, and its value is between 0 (zero) and the table size N_size. A reasonable N_limit value is
between 50% and 90% of N_size. N_abs indicates the "absolute" bound, and a reasonable value is
between 90% and 99% of N_size. Algorithm HCTM1 uses these two thresholds for computing
T_ho. Algorithm HCTM1 repeats the following computation periodically; this period is preferably
on the order of a second. If N is greater than N_abs, then T_ho is immediately set to the minimum
value T_min to protect the system. If N is less than or equal to N_abs and N is greater than
N_limit, then T_ho is reduced by setting it to max{T_min, T_ho/A}. The max function is used to
make sure that the value of T_ho will never be less than the minimum bound T_min. Here, A is a
parameter called "acceleration" and is either a constant (e.g., 2) or a variable. The value of A
must be greater than 1 (one). If N is less than or equal to N_limit, then T_ho is increased to
min{T_max, A*T_ho}. The min function is used to make sure that the value of T_ho never exceeds
the maximum value T_max. The value of A may be computed as follows: let n = n_1 + n_2, where
n_1 indicates the number of times N has exceeded N_limit in the last n observed cycles and n_2
the number of times it has not. Then, A can be set as a function of 2*(n_1/n_2).

Figure 5 illustrates yet another algorithm, Algorithm HCTM2, that can be used to
compute the half-open time-out T_ho in the Half-open Connection Time-out Manager (HCTM)
component 303 in Figure 3. There are m thresholds called "trigger points", N_1, N_2, ..., N_i, ...,
N_m, in increasing order, where N_1 is the smallest and N_m is the largest. For each trigger point
N_i, a half-open time-out T_i is assigned, where T_1 = T_max and T_m = T_min. Algorithm HCTM2
repeats the following step periodically, just as Algorithm HCTM1 does. When the observed
value N crosses over N_i (i.e., N is between N_i and N_{i+1}), the half-open time-out T_ho is set to T_i.
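The following is an added example, not code from the patent, implementing the two controllers described above (Algorithm HCTM1 of Figure 4 and Algorithm HCTM2 of Figure 5) as pure functions of the observed table usage N, together with the variable-acceleration rule sketched for A, and driving both with the same usage trace so the difference in behaviour is visible. The function names, the thresholds (N_size = 1000, N_limit = 700, N_abs = 950), the trigger-point table, the usage trace, and the decision to floor the computed A at the constant value so that A > 1 always holds are assumptions made for this illustration.

```python
"""Added example, not part of the patent: Algorithm HCTM1 (Figure 4) and
Algorithm HCTM2 (Figure 5) as pure functions of the current table usage N,
plus the variable-acceleration rule sketched for A. The parameter values,
the trigger-point table and the usage trace are constructed for this
illustration."""
from bisect import bisect_right


def hctm1_step(n: int, t_ho: float, *, n_limit: int, n_abs: int,
               t_min: float, t_max: float, a: float) -> float:
    """One periodic HCTM1 computation, returning the new T_ho:
       N > N_abs             -> T_min immediately
       N_limit < N <= N_abs  -> max{T_min, T_ho / A}   (shrink)
       N <= N_limit          -> min{T_max, A * T_ho}   (recover)"""
    if a <= 1:
        raise ValueError("acceleration A must be greater than 1")
    if not 0 < n_limit < n_abs:
        raise ValueError("need 0 < N_limit < N_abs")
    if n > n_abs:
        return t_min
    if n > n_limit:
        return max(t_min, t_ho / a)
    return min(t_max, a * t_ho)


def acceleration_from_history(history: list, n_limit: int,
                              a_const: float = 2.0) -> float:
    """Variable A as sketched in the text: over the last n = n_1 + n_2 cycles,
    n_1 = cycles with N > N_limit and n_2 = the rest; A = 2 * (n_1 / n_2).
    Because A must exceed 1, the result is floored at the constant A (and the
    constant is used when n_2 = 0); that floor is an assumption of this example."""
    n1 = sum(1 for n in history if n > n_limit)
    n2 = len(history) - n1
    if n2 == 0:
        return a_const
    return max(a_const, 2.0 * n1 / n2)


def hctm2_timeout(n: int, triggers: list, timeouts: list) -> float:
    """HCTM2: trigger points N_1 < N_2 < ... < N_m paired with time-outs
    T_1 = T_max >= ... >= T_m = T_min. N in [N_i, N_{i+1}) selects T_i.
    Below N_1 the time-out stays at T_1 (assumption; the text leaves it open)."""
    if len(triggers) != len(timeouts) or not triggers:
        raise ValueError("triggers and timeouts must be non-empty and paired")
    if any(a >= b for a, b in zip(triggers, triggers[1:])):
        raise ValueError("trigger points must be strictly increasing")
    if any(a < b for a, b in zip(timeouts, timeouts[1:])):
        raise ValueError("time-outs must be non-increasing")
    i = bisect_right(triggers, n) - 1       # largest i with N_i <= N
    return timeouts[max(i, 0)]


# Constructed parameters for a table of N_size = 1000 entries.
HCTM1_PARAMS = dict(n_limit=700, n_abs=950, t_min=0.1, t_max=120.0, a=2.0)
TRIGGERS = [0, 500, 700, 900, 1000]           # N_1 = 0 ... N_m = N_size
TIMEOUTS = [120.0, 30.0, 5.0, 1.0, 0.1]       # T_1 = T_max ... T_m = T_min
SAMPLE_TRACE = [100, 600, 800, 960, 800, 300, 100]   # N observed each cycle


def run_trace(trace: list = SAMPLE_TRACE) -> tuple:
    """Feed the usage trace through both controllers; return the T_ho
    sequence each produces (HCTM1 starts from T_max)."""
    t_ho, hctm1_out = HCTM1_PARAMS["t_max"], []
    for n in trace:
        t_ho = hctm1_step(n, t_ho, **HCTM1_PARAMS)
        hctm1_out.append(t_ho)
    hctm2_out = [hctm2_timeout(n, TRIGGERS, TIMEOUTS) for n in trace]
    return hctm1_out, hctm2_out


if __name__ == "__main__":
    for n, t1, t2 in zip(SAMPLE_TRACE, *run_trace()):
        print(f"N={n:4d}  HCTM1 T_ho={t1:7.2f}  HCTM2 T_ho={t2:7.2f}")
```

The trace shows the two designs' characters: HCTM1 halves T_ho each cycle the usage stays between N_limit and N_abs, drops straight to T_min when N passes N_abs, and then recovers only geometrically (0.1, 0.2, 0.4, ...) once usage falls back, whereas HCTM2 jumps directly to the time-out assigned to whichever trigger interval N currently falls in, in both directions.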
While the present invention has been described with reference to preferred embodiments thereof,
numerous obvious changes and variations may readily be made by persons skilled in the field of
internet and other communications. Accordingly, the invention should be understood to include
all such variations to the full extent embraced by the claims.